Move list permission from keystore2_key to keystore class. The list permission protects the ability to list arbitrary namespaces. This is not a namespace specific permission but a Keystore specific permission. Listing the entries of a given namsepace is covered by the get_info permission already. Ignore-AOSP-First: This needs to land in googleplex first to updated prebuilt vendor images. Otherwise it breaks aosp-with-phone builds. Test: N/A Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8

commit: 144c822018006244e6cb4f3a538fbb13df56d058 [log] [tgz]
author: Janis Danisevskis <jdanis@google.com> Thu Sep 24 08:55:28 2020 -0700
committer: Xin Li <delphij@google.com> Thu Oct 01 05:33:31 2020 +0000
tree: f52ce32ec3ca6eb0c0473ac0cec9addc8e6a7fa8
parent: cc932836c1d7266171d644f4a74a2030824602dd [diff] [blame]
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index cbe8ed7..7275954 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te

@@ -19,6 +19,6 @@
 
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
 
 use_keystore(binderservicedomain)
commit	144c822018006244e6cb4f3a538fbb13df56d058	[log] [tgz]
author	Janis Danisevskis <jdanis@google.com>	Thu Sep 24 08:55:28 2020 -0700
committer	Xin Li <delphij@google.com>	Thu Oct 01 05:33:31 2020 +0000
tree	f52ce32ec3ca6eb0c0473ac0cec9addc8e6a7fa8
parent	cc932836c1d7266171d644f4a74a2030824602dd [diff] [blame]